PETALING JAYA: As 2025 winds down and CyberSecurity Malaysia chief Datuk Dr Amirudin Abdul Wahab nears his retirement on Jan 13, 2026, his focus is not on trophies or policy wins but instead on a stubborn blind spot he says Malaysia still has not fixed: real understanding.
“Awareness has gone up, but it is still shallow. We run countless campaigns and programmes, yet basic cyber hygiene remains weak.
“People still use default or ridiculously simple passwords. And even when they get fancy with complex ones, they recycle them across emails, apps, everything.
“That is an open invitation for attackers the moment one platform gets hacked,” he told theSun.
He said technological advances have made the problem harder rather than easier as deception becomes increasingly convincing.
“Now, voices, videos and images can all be faked. With deepfake technology, it is becoming more difficult to distinguish what is real and what is not.”
From his observations, Amirudin said exposure to cyber risks cuts across age groups, but for different reasons.
“I can categorise three groups. Young adults who are very tech savvy and highly dependent on digital services often assume they know what they are doing.
“Older users tend to be more trusting. Children are exposed to devices very early, without realising the threats outside,” he said, citing risks such as online grooming, scams and cyberbullying.
He warned that exposure without understanding creates false confidence rather than resilience, stressing that responsibility cannot sit with a single party.
“Cybersecurity is a shared responsibility. It is not only the government’s job or the platform’s job or the parents’ job.
“Police also cannot stand in front of your house 24 hours a day. You still need to lock your gate, your doors and your windows.”
That behavioural gap is why the legal reforms of 2025 matter, said Amirudin.
He pointed to the Cyber Security Act 2024, Malaysia’s first law built specifically for cybersecurity, which applies across National Critical Information Infrastructure in 13 critical sectors.
“Within the Act, there are many regulations. Critical infrastructure organisations must conduct risk assessments, carry out audits on their systems and strengthen incident response mechanisms.
“It shows that we cannot depend on the government alone. Organisations themselves must be responsible and this Act introduces accountability.
“Data is a core element of the digital ecosystem. Protecting personal data is fundamental.”
He also lauded amendments to the Personal Data Protection Act 2010, which came into force on June 1, and the Data Sharing Act 2025 framework passed by Parliament in December 2024 and fully enforced on April 28 this year, which were designed to allow government agencies to share data legally under defined conditions.
“Previously, agencies worked in silos. This enables digital government to function more effectively.”
As he prepares to step down from his position in helming CyberSecurity Malaysia, Amirudin said he remains open to contributing in an advisory capacity in the public or private sector.
He expressed hope to continue supporting the cybersecurity ecosystem “directly or indirectly” beyond his tenure at CyberSecurity Malaysia.
He said the next leadership must rest on the principles of uncompromising integrity, teamwork and institutional trust.
“Once trust is broken, people will no longer believe.”
